> http://jya.com/bxa123096.txt This stuff is hilarious! Well worth skimming through... Encryption products, when used outside the United States, can jeopardize our foreign policy and national security interests. Moreover, such products, when used by international criminal organizations, can threaten the safety of U.S. citizens here and abroad, as well as the safety of the citizens of other countries. The exportation of encryption products must be controlled to further U.S. foreign policy objectives, and promote our national security, including the protection of the safety of U.S. citizens abroad. (I live in Canada, and I use encryption -- I wasn't aware that I was jeopardizing U.S. national security) This interim rule also amends the Export Administration Regulations by requiring a license for exports and reexports to all destinations, except Canada, of certain encryption items controlled for EI reasons. (Cool, it looks like I'm special) Note that the one-time review is for a determination to release encryption software in object code only. (So much for ever being able to export free-software encryption) Producers would commit to produce key recovery products. Others would commit to incorporate such products into their own products or services. Plans will be evaluated in consideration of good faith efforts by the exporter to promote key recovery products and infrastructure. Such efforts can include: the scale of key recovery research and development, product development, and marketing plans; significant steps to reflect potential customer demand for key recovery products in the firm's encryption-related business; and how soon a key recovery agent will be identified. (ie. if you've got big bucks - you can skirt the regulations a bit) (now for the best part) I have determined that the export of encryption products described in this section may harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests. (so basically, revealing the fact that encryption products are already available outside of the U.S. to a U.S. court would jeopardize national security, so U.S. courts are not allowed to even consider this fact) (we better not mention on our web pages that people can obtain PGP from outside the U.S., since this obviously has been categorized as classified information) 2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information, subject to the requirements of the Paperwork Reduction Act (PRA), unless that collection of information displays a currently valid OMB Control Number. This rule involves collections of information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). (paperwork reduction act? maybe the person that wrote this should read that...) 4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (Sec. 5 U.S.C. 553(a)(1)). (see - no public participation, land of the free, eh?) encryption software controlled for ``EI'' reasons under ECCN 5E002 do not lose their U.S.- origin when redrawn, used, consulted, or otherwise commingled abroad in any respect with other software or technology of any other origin. (commingled?) Sec. 744.9. Restrictions on technical assistance by U.S. persons with respect to encryption items. (a) General prohibition. No U.S. person may, without a license from BXA, provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities and software that, if of United States origin, would be controlled for ``EI'' reasons under ECCN 5A002 or 5D002. Note that this prohibition does not apply if the U.S. person providing the assistance has a license or is otherwise entitled to export the encryption commodities and software in question to the foreign person(s) receiving the assistance. Note in addition that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting, by itself would not establish the intent described in this section, even where foreign persons are present. (b) Definition of U.S. person. For purposes of this section, the term U.S. person includes: (1) Any individual who is a citizen or permanent resident alien of the United States; (so teaching is ok, but training isn't, of course) Encryption object code. Computer programs containing an encryption source code that has been compiled into a form of code that can be directly executed by a computer to perform an encryption function. (hey, maybe distributing encryption source is a-ok! If we do a Debian package that does the compilation as part of the install process, we aren't distributign encryption object code, are we?) There's more - but I think I've read enough. What a stupid law. There's no way it would stand up in court. It's basically just a recipe for harassment of people who don't act the way the government wants them too. With that in mind, I think the best policy is to just play "fast and loose" with the rules. I really doubt the government would ever actually charge someone under these rules without first ordering a "cease and desist". So don't try to do things to the letter of the law (or whatever it is), since the letter of the law can change at any time, depending on the whims of the bureaucrats in charge. Just don't make yourself a target, and you should be OK. Cheers, - Jim
Attachment:
pgpfFjdLg0hRR.pgp
Description: PGP signature